Use permit! to allow arbitrary input from params

[ci skip]
7 years ago · 79a7c8472a
parent f65e1e56d9
commit 79a7c8472a
1 changed files with 1 additions and 1 deletions
--- a/lib/open_project/github_integration/hook_handler.rb
+++ b/lib/open_project/github_integration/hook_handler.rb
@ -30,7 +30,7 @@ module OpenProject::GithubIntegration
      return 403 unless user.present?

      payload = Hash.new
-      payload.merge! params.require('webhook')
+      payload.merge! params.require('webhook').permit!
      payload.merge! 'user_id' => user.id,
                     'github_event' => event_type,
                     'github_delivery' => event_delivery